DETAILED ACTION

Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 
(1966), that are applied for establishing a background for determining obviousness under 
35 U.S.C. 103(a) are summarized as follows: 

1. Determining the scope and contents of the prior art.

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness 
or nonobviousness. 

Claims 1, 3-9, and 11-31 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Applicant's Background of the Invention (ABI hereinafter, Pub no.: 20020138416, please see
the disclosed background of the invention) in view of Kalyan (US PAT: 6266655), and further
in view of Norton et al (Norton, hereinafter. Pub No.: 2002/0091699).

Re claim 1. ABI discloses a method for assessing and/or managing risks for an organization, 
comprising the steps of: (a) inventorying a plurality of assets of the organization, wherein each 
asset is defined to be one of an electronic asset type and a location asset type, and wherein the 
electronic asset type includes computers and networking equipment therefor and the location 
asset type includes physical locations where the electronic asset types are placed (i.e., Inventory
and definition. In order to measure the theoretical impact of a risk, the organization determines
its assets (e.g., electronic devices, electronically stored data, etc.) that are involved in support of
critical processes, see paras 0015 of the applicant's specification); identifying the plurality of 
assets (i.e., In order to measure the theoretical impact of a risk, the organization determines its 
assets (e.g., electronic devices, electronically stored data, etc.) that are involved in support of 
critical processes. Once assets have been identified, a value is assigned to each asset. This value 
is not only monetary, but also may be tied to loss of reputation or loss of trust. There are a 
number of conventional automated tools which can assist the organization in accomplishing this 
phase of the process. These tools, including Openview (manufactured by Hewlett-Packard Co. of 
Palo Alto, Calif.) and Visio.RTM. Enterprise (manufactured by Microsoft Corp. of Redmond, 
Wash.), are able to map network systems and devices and produce reports showing OS 
(operating system) type, revision level and the services that a system is making available to a 
network, see paras 0015 and 0016), wherein at least a portion of the plurality of assets are 
identified by utilizing a computer to electronically scan the plurality of assets via a network (see 
paras 0019) (b) identifying at least one criterion defining a security objective of the organization 
(i.e., Vulnerability and threat assessment, see paras 0017); (c) identifying one or more 
inventoried assets that relate to the identified criterion (i.e., Once assets have been identified, a 
value is assigned to each asset, see paras 0015), and (e) assessing the risk to the organization 
based on the measured values of the one or more metric equations by utilizing (i.e., Once risk has 
been assessed and identified, the organization can choose to accept the risk, mitigate the risk, or 
transfer the risk, see paras 0024). ABI does not explicitly disclose formulating one or more 
metric equations for each identified criterion by utilizing the computer, each metric equation 
being defined, in part, by the one or more identified assets, wherein each metric equation yields 
an outcome value when one or more measurements are made relating to the identified assets, and
storing the identified assets and the at least one criterion in the computer; However, Kalyan 
discloses the formulating and solving of equations for identified criteria utilizing computer (see 
the abstract, also see fig.4 elements 43 and 44). Kalyan does not explicitly disclose storing the 
identified assets and the at least one criterion in the computer. Norton discloses storing the 
identified assets and the at least one criterion in the computer (i.e., standardized asset database, 
see fig. 1a, see also col. 1 paras 0003). Thus, it would have been obvious to one of ordinary skill
in the art to incorporate the teachings of Norton into ABI and Kalyan to effectively manage 
access to the asset information. 

Re claim 3. ABI further discloses the method, wherein the step of identifying the plurality of 
assets comprises at least one of: interviewing members of the organization to identify the 
plurality of assets; and manually identifying the plurality of assets (i.e., inventory and definition, 
paras 0015). 

Re claim 4. ABI does not disclose the method, wherein the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location type, wherein the user type relates to an individual user and the 
user population type relates to a group of users. However, Norton discloses that assets are 
identified using unique identifiers, and further discloses that assets are briefly described in the 
asset database. Thus, this identification and description of assets in the asset database, as taught 
by Norton, reads on the applicant's limitation of "wherein the plurality of assets are defined to be 
one of a user type, a user population type, a data type and a network type in addition to the 
electronic type and the location type." Thus, it would have been obvious to one of ordinary
skill in the art to incorporate the teachings of Norton into ABI and Kalyan to effectively manage
access to the asset information. 

Re claim 5. ABI does not explicitly disclose the method, further comprising the step of:
establishing at least one relationship between the plurality of assets. However, Norton makes this 
disclosure (see fig. 8, also see col.4 paras 0085-0090). Thus, it would have been obvious to one 
of ordinary skill in the art to incorporate the teachings of Norton into ABI and Kalyan to 
effectively manage access to the asset information. 

Re claims 6, 7, 8. Claims 6, 7 and 8 recite similar limitations to claim 5 and thus rejected using 
the same art and rationale as in claim 5 supra. 

Re claim 9. Claim 9 recites similar limitations to claim 1 and thus rejected using the same art 
and rationale as in claim 1 supra. 

Re claim 11. ABI further discloses the computer system further configured to identify the 
plurality of assets by electronically scanning at least a portion of the plurality of assets via a 
network (see paras 0019). 

Re claim 12. Claim 12 recites similar limitations to claim 4 and thus rejected using the same art 
and rationale as in claim 4 supra. 

Re claims 13, 14, 15. Claims 13, 14 and 15 recite similar limitations to claim 5 and thus rejected 
using the same art and rationale as in claim 5 supra. 

Re claim 16. ABI further discloses the computing system, wherein means (c) further comprises: 
identifying further configured to identify one or more inventoried assets that relate to the 
identified criterion based on the at least one established relationship between the plurality of
assets (see paras 0015 and 0016). 

Re claim 17. Claim 17 recites similar limitations to claim 1 and thus rejected using the same art 
and rationale as in claim 1 supra.

Re claim 18. ABI further discloses the system, wherein the computer is further configured to:
electronically scan the plurality of assets (i.e., There are a number of tools available to 
electronically scan electronic devices and assess vulnerabilities within electronic devices, see 
paras 0019); interview members of the organization to identify the plurality of assets; and 
manually identify the plurality of assets (i.e., inventory and definition, paras 0015).

Re claim 19. Claim 19 recites similar limitations to claim 4 and thus rejected using the same art
and rationale as in claim 4 supra. 

Re claim 20. ABI does not explicitly disclose the method, further comprising the step of: 
establishing at least one relationship between the plurality of assets. However, Norton makes this 
disclosure (see fig.8, also see col.4 paras 0085-0090). Thus, it would have been obvious to one 
of ordinary skill in the art to incorporate the teachings of Norton into ABI and Kalyan to 
effectively manage access to the asset information. 

Re claim 21, 22 and 23. Claim 21, 22 and 23 recite similar limitations to claim 20 and thus 
rejected using the same art and rationale as in claim 20 supra. 

Re claim 24. Claim 24 recites similar limitations to claim 1 and thus rejected using the same art 
and rationale as in claim 1 supra. 

Re claim 25. ABI discloses the method wherein the step (a) comprises the step of: identifying 
the plurality of assets (see paras 0015-0016) except for storing the identified assets into a database.
However, Norton makes this disclosure (i.e., standardized asset database, see fig. 1a, see also
col. 1 paras 0003). Thus, it would have been obvious to one of ordinary skill in the art to 
incorporate the teachings of Norton into ABI and Kalyan to effectively manage access to the 
asset information. 

Re claim 26. Claim 26 recites similar limitations to claim 3 and thus rejected using the same art 
and rationale as in claim 3 supra. 

Re claim 27. Claim 27 recites similar limitations to claim 4 and thus rejected using the same art 
and rationale as in claim 4 supra. 

Re claim 28. ABI does not explicitly disclose the method, further comprising the step of: 
establishing at least one relationship between the plurality of assets. However, Norton makes this 
disclosure (see fig.8, also see col.4 paras 0085-0090). Thus, it would have been obvious to one 
of ordinary skill in the art to incorporate the teachings of Norton into ABI and Kalyan to 
effectively manage access to the asset information. 

Re claims 29, 30, 31. Claims 29, 30 and 31 recite similar limitations to claim 28 and thus 
rejected using the same art and rationale as in claim 28 supra. 

Response to Arguments 
The applicant argues in substance that the primary reference, ABI, fails to teach "a location asset 
type that includes the physical location of an electronic asset." Contrary to the applicant's 
assertion, ABI teaches "In order to measure the theoretical impact of a risk, the organization 
determines its assets (e.g., electronic devices, electronically stored data, etc.) that are involved in 
support of critical processes, see paras 0015 of the applicant's specification." Thus the examiner 
contends that the assets that are determined by the organization encompass all asset types. 
Further, Paragraph 0015 of applicant's background of the invention clearly states that the
organization determines its assets which obviously include location and electronic asset types. 

The applicant further argues that ABI fails to disclose identifying at least one criterion 
defining a security objective of the organization. Contrary to the applicant's assertion, ABI 
teaches Vulnerability and threat assessment, see paras 0017 of applicant's background of the 
invention. The examiner contends that Vulnerability and threat assessment are criteria defining a 
security objective of the organization. 

The applicant further argues that ABI fails to teach identifying one or more inventoried 
assets that relate to the identified criterion. Contrary to applicant's assertion, ABI teaches 
identifying assets and assigning a value to each asset, see paras 0015 of applicant's background 
of the invention. 

The applicant further argues that ABI fails to teach assessing the risk to the organization 
based on the measured values of the one or more metric equations. Contrary to the applicant's 
assertion, ABI teaches identifying and assessing the risk of the organization, see paras 0024 of 
applicant's background of the invention. 

The applicant further argues that, the secondary reference, Kalyan fails to disclose 
"formulating one or more metric equations for each identified criterion." Contrary to the 
applicant's assertion, Kalyan discloses a method of valuing resources of an asset intensive 
manufacturer by setting up equations and solving each equation for the resource variables (see 
the abstract, also see fig. 4 elements 43 and 44). The examiner contends that since identified 
criterion, as claimed by the applicant, is a measured variable, and since Kalyan teaches setting up 
and solving equations for measured variable (i.e., resources of an asset intensive manufacturer), 
Kalyan teaching certainly meets the applicant's claimed limitation of "formulating one or more
metric equations for each identified criterion." 

The applicant further argues that, the secondary reference, Norton fails to disclose 
"establishing at least one relationship between the pluralities of assets." Contrary to the 
applicant's assertion, Norton explicitly discloses "establishing at least one relationship between 
the pluralities of assets." (i.e., fig. 8 of Norton clearly shows at least one relationship between the 
pluralities of assets, please see fig. 8 of Norton). 

The applicant further argues that Norton fails to disclose "linking a first asset defined to 
be in one asset type with a second asset defined to be in another asset type." Contrary to the 
applicant's assertion, Fig. 1a of Norton discloses a standardized asset database, wherein different
asset types are inherently linked together. 

The applicant further argues that the prior arts fail to teach "wherein the plurality of 
assets are defined to be one of a user type, a user population type, a data type and a network type 
in addition to the electronic type and the location type, wherein the user type relates to an 
individual user and the user population type relates to a group of users." Contrary to the 
applicant's assertion, Norton discloses that assets are identified using unique identifiers, and 
further discloses that assets are briefly described in the asset database. Thus, this identification 
and description of assets in the asset database, as taught by Norton, reads on the applicant's 
limitation of "wherein the plurality of assets are defined to be one of a user type, a user 
population type, a data type and a network type in addition to the electronic type and the location 
type."

The applicant further argues that Norton fails to disclose establishing at least one
relationship between the plurality of assets. However, the asset lookup database shown in fig. 8 of 
Norton clearly shows relationship between the plurality of assets. Please see fig. 8 of Norton. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to OJO O. OYEBISI whose telephone number is (571)272-8298. 
The examiner can normally be reached on 8:30 A.M.-5:30 P.M.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Thomas Dixon can be reached on (571)272-6803. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/OJO O OYEBISI/ 
Examiner, Art Unit 3696 